diff options
author | Lennart Poettering <lennart@poettering.net> | 2014-05-21 09:31:22 +0900 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-05-21 09:36:49 +0900 |
commit | f7dc3ab9f43b67abcbd34062b9352ab42debec49 (patch) | |
tree | 0a797055292a0741ef3f1cf473e3933926b42a74 | |
parent | f5c0c00f400e6f1fa58c5faf8bc93ca9057d4463 (diff) |
logind: don't apply RemoveIPC= to system users
We shouldn't destroy IPC objects of system users on logout.
http://lists.freedesktop.org/archives/systemd-devel/2014-April/018373.html
This introduces SYSTEM_UID_MAX defined to the maximum UID of system
users. This value is determined compile-time, either as configure switch
or from /etc/login.defs. (We don't read that file at runtime, since this
is really a choice for a system builder, not the end user.)
While we are at it we then also update journald to use SYSTEM_UID_MAX
when we decide whether to split out log data for a specific client.
-rw-r--r-- | Makefile.am | 4 | ||||
-rw-r--r-- | configure.ac | 22 | ||||
-rw-r--r-- | src/core/systemd.pc.in | 2 | ||||
-rw-r--r-- | src/journal/journald-server.c | 2 | ||||
-rw-r--r-- | src/shared/clean-ipc.c | 4 |
5 files changed, 30 insertions, 4 deletions
diff --git a/Makefile.am b/Makefile.am index f2a3bbd024..1808f801cb 100644 --- a/Makefile.am +++ b/Makefile.am @@ -4879,7 +4879,9 @@ substitutions = \ '|PYTHON=$(PYTHON)|' \ '|PYTHON_BINARY=$(PYTHON_BINARY)|' \ '|NTP_SERVERS=$(NTP_SERVERS)|' \ - '|DNS_SERVERS=$(DNS_SERVERS)|' + '|DNS_SERVERS=$(DNS_SERVERS)|' \ + '|systemuidmax=$(SYSTEM_UID_MAX)|' \ + '|systemgidmax=$(SYSTEM_GID_MAX)|' SED_PROCESS = \ $(AM_V_GEN)$(MKDIR_P) $(dir $@) && \ diff --git a/configure.ac b/configure.ac index 9a849ffe7b..c41f6c9a70 100644 --- a/configure.ac +++ b/configure.ac @@ -854,6 +854,26 @@ AC_ARG_WITH(time-epoch, AC_DEFINE_UNQUOTED(TIME_EPOCH, [$TIME_EPOCH], [Time Epoch]) # ------------------------------------------------------------------------------ +AC_ARG_WITH(system-uid-max, + AS_HELP_STRING([--with-system-uid-max=UID] + [Maximum UID for system users]), + [SYSTEM_UID_MAX="$withval"], + [SYSTEM_UID_MAX="`awk 'BEGIN { uid=999 } /^\s*SYS_UID_MAX\s+/ { uid=$2 } END { print uid }' /etc/login.defs 2>/dev/null || echo 999`"]) + +AC_DEFINE_UNQUOTED(SYSTEM_UID_MAX, [$SYSTEM_UID_MAX], [Maximum System UID]) +AC_SUBST(SYSTEM_UID_MAX) + +# ------------------------------------------------------------------------------ +AC_ARG_WITH(system-gid-max, + AS_HELP_STRING([--with-system-gid-max=GID] + [Maximum GID for system groups]), + [SYSTEM_GID_MAX="$withval"], + [SYSTEM_GID_MAX="`awk 'BEGIN { gid=999 } /^\s*SYS_GID_MAX\s+/ { gid=$2 } END { print gid }' /etc/login.defs 2>/dev/null || echo 999`"]) + +AC_DEFINE_UNQUOTED(SYSTEM_GID_MAX, [$SYSTEM_GID_MAX], [Maximum System GID]) +AC_SUBST(SYSTEM_GID_MAX) + +# ------------------------------------------------------------------------------ have_localed=no AC_ARG_ENABLE(localed, AS_HELP_STRING([--disable-localed], [disable locale daemon])) if test "x$enable_localed" != "xno"; then @@ -1256,6 +1276,8 @@ AC_MSG_RESULT([ Extra start script: ${RC_LOCAL_SCRIPT_PATH_START} Extra stop script: ${RC_LOCAL_SCRIPT_PATH_STOP} Debug shell: ${SUSHELL} @ ${DEBUGTTY} + Maximum System UID: ${SYSTEM_UID_MAX} + Maximum System GID: ${SYSTEM_GID_MAX} CFLAGS: ${OUR_CFLAGS} ${CFLAGS} CPPFLAGS: ${OUR_CPPFLAGS} ${CPPFLAGS} diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in index de0f6494e9..f8bccb5d6a 100644 --- a/src/core/systemd.pc.in +++ b/src/core/systemd.pc.in @@ -19,6 +19,8 @@ systemduserunitpath=${systemduserconfdir}:/etc/systemd/user:/run/systemd/user:/u systemdsystemgeneratordir=@systemgeneratordir@ systemdusergeneratordir=@usergeneratordir@ catalogdir=@catalogdir@ +systemuidmax=@systemuidmax@ +systemgidmax=@systemgidmax@ Name: systemd Description: systemd System and Service Manager diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c index 0439caf909..381d80a938 100644 --- a/src/journal/journald-server.c +++ b/src/journal/journald-server.c @@ -258,7 +258,7 @@ static JournalFile* find_journal(Server *s, uid_t uid) { if (s->runtime_journal) return s->runtime_journal; - if (uid <= 0) + if (uid <= SYSTEM_UID_MAX) return s->system_journal; r = sd_id128_get_machine(&machine); diff --git a/src/shared/clean-ipc.c b/src/shared/clean-ipc.c index ddd42cc2b2..cb1722614e 100644 --- a/src/shared/clean-ipc.c +++ b/src/shared/clean-ipc.c @@ -332,8 +332,8 @@ fail: int clean_ipc(uid_t uid) { int ret = 0, r; - /* Refuse to clean IPC of the root user */ - if (uid == 0) + /* Refuse to clean IPC of the root and system users */ + if (uid <= SYSTEM_UID_MAX) return 0; r = clean_sysvipc_shm(uid); |